When the Bills Come Due, Who is Liable for Credit Card Cyber Theft?

PCI compliance. In these times of rampant credit card fraud, few other words cause such angst for merchants and their counsel. The key to improving your outcome is to understand what is required to prevent a security breach, what is required when one occurs, and what steps can be taken to mitigate penalties, fines and assessments.

A panel of experts recently assembled at the NetDiligence^® Cyber Risk & Privacy Liability Forum provided insight into the PCI adjudication process and its pitfalls.

PCI Defined

The Payment Card Industry (PCI) security standard is used by credit card brands to make certain merchants protect cardholder information. It seems simple enough. But as Dave Navetta of the Information Law Group explained, the process is much more complex than paying a fine for a violation. PCI compliance requires procedures be followed before and after a breach. Credit card brands must be notified. An investigation must commence. And the fines, penalties and assessments can be as difficult to understand as a calculus book.

Enforcement of PCI is typically done through contracts, not litigation, Navetta said. The chain of contracts starts with the card brands at the top, followed by the merchant banks and then the merchant who must adhere to the rules of both if he wants to process credit cards. These agreements are very favorable to the card brands and are pretty consistent across brands.

Essentially, the merchant agrees to pay fines and penalties pursuant to the rules in the agreement. The merchant also is obligated to cover the merchant bank for any fines or costs it incurs. Choosing not to pay is seldom an option. Merchant accounts can be cancelled, or money owed for non-compliance is taken out of the credit card processing until the debt is paid, Navetta said. Some even blacklist a merchant who tries to get out of a contract.

“Those rules and regulations can be hundreds of pages long, thousands of pages long, actually, if you really sift through them all,” Navetta said. “There’s a lot to know and understand, and most merchants, frankly, go into these relationships without any knowledge of what these rules and regulations say about fines and penalties and assessments.”

When There is a Breach

Most often, notification of a security breach comes from a card brand that notices an excessive amount of suspected fraud emanating from cards processed by the merchant. Grayson Lenik, lead security consultant for PSC in San Jose, said the card brand then may contact law enforcement to conduct an investigation. In other instances, the merchant bank asks the merchant to fill out a questionnaire about the breach. In the end, though, Lenik said most breaches require a forensic investigation.

If a merchant discovers a breach, the card brand agreement requires the merchant to notify the card brand. Failure to do so immediately can result in additional non-compliance fines, according to Mark Schreiber of Edwards Wildman in Boston. A card processor then determines whether the breach is large enough to warrant either the card brand or the merchant retaining a PCI Forensic Investigator (PFI).

“The new PCI 3.0 and follow-up guidelines are going to put further pressure on merchants and third parties downstream to comply more rigorously with these rules, implement more policies, internal scans and oversight of other parties in the card eco-stream. PCI compliance is definitely going to become more demanding,” Schreiber told The Advisory.

The PFI

The information contained in the PFI reports largely determines what the merchant's liability and exposure will be, including the fines, penalties and card assessments.

“It should not be taken lightly,” Schreiber cautioned. “It should be reviewed in draft form, preferably beforehand. One can never be too careful about its content, and the ambiguities, the language used, the technology employed, the outcomes, the connection to the PCI standards, and causation. They all need to be explored with exquisite precision.”

Fines, Penalties and Assessments

The merchant’s liability is determined in several ways. Fines and penalties are typically punitive and relate to the facts of the non-compliance. The amount also depends on the merchant and the size of the breach, Navetta said.

He reported seeing smaller merchants get fined by MasterCard^® and Visa^® for $2,000 to $5,000 initially, and then for every month that the merchant is not certified as PCI compliant, it faces more fines and penalties. Egregious fines can reach up to $500,000, he said.

“In most cases, the card brand is the judge, jury and executioner as to when these fines and penalties are going to apply,” Navetta said. “They can also use these fines and penalties as leverage. If a merchant’s not complying or cooperating in a particular investigation, they might find themselves hit with higher fines and penalties.”

Assessments are a different animal. They relate to operating expense, card re-issuance costs and fraud recovery and are designed to compensate the issuing banks whose cards have been exposed, he said. The amount of fraud depends on the magnitude of the breach, how many cards were actually exposed, and then how much fraud was actually on each of the exposed cards. Navetta said the card brands do not have to show that the PCI non-compliance caused the breach, just that it could have caused it.

Since the fourth quarter 2013, fines and assessments that have been levied have increased significantly, according to John Gambale, Head of Professional Liability & Lexington Financial Lines at AIG. In the past, a small-to-middle market enterprise would get a slap on the wrist. Now they are seeing high six-figure losses related to the fraud and the re-issuance of the credit cards.

Controlling the PFI

Schreiber said this all circles back to the PFI investigation and report. Controlling the PFI language and the number of cards deemed to have been exposed during the breach period has a tremendous influence on the fine, penalty and assessment.

Lenik said there is not a great deal of flexibility for most aspects of the PFI report, but an investigator can control language about the security deficiencies that can make a big difference in how a client is treated.

Navetta and Schreiber almost invariably recommended a merchant retain its own forensic investigator at the outset.

“To reinforce the point, because there’s often ambiguity here, and because this PFI report is the key input into the amount of fines and penalties and assessments you may end up paying, to make sure that the PFIs are not over-analyzing the incident in favor of the card brands, and they’re taking a narrow interpretation of the various ambiguities, so that your card exposure is limited, is really the key here and the name of the game,” Navetta said.

If you wait until the PFI report is already out, maybe six months following the breach, you’ve lost your best chance to influence the fines and penalties, he said.

One other point to consider—PFI reports can potentially be discovered by attorney generals or other regulators during future proceedings and litigation. That hasn’t happened, yet, but the risk is there, he said.

Coverage for Cyber Fraud Losses

So, can merchants protect themselves from losses with liability insurance? Gambale said that is happening more and more. He reported a 30-percent increase in cyber liability writings in 2013, and the trend continues this year. Additionally, claims have increased about 50 percent so far this year. His organization accepts two breaches per business day. The severity of breaches has likewise increased, he said.

The complexity of the PCI process makes insurance coverage equally complex, said Neeraj Sahni, a vice president at Willis FINEX North America’s Cyber Practice. Most markets have some type of PCI coverage, either from a separate insurance agreement or an endorsement to the existing policy. The coverage is granted by carving out any fines and penalties from the contractual liability. Also, he said damages typically would have some type of exclusion or carve-out for fines and penalties.

“Remember, PCI is not a regulatory requirement,” Sahni said. “It’s your contractual liability with your card brands, in terms of what your security guidelines should be, based on PCI. If you don’t abide by the security, that’s more like an audit, and you’re not PCI compliant.”

The cost of a credit card breach is not typically the fines, it is the costs incurred by the breach—the cost of card replacement, the cost of subsequent lawsuits and the cost of chargebacks for disputed charges. And it is a question of who is incurring those costs. Sahni said there is a great deal of ambiguity in the coverage for the many moving parts of a PCI breach.

Sahni advised that you understand your exposures before you obtain a policy. Do not just get an endorsement for PCI, because that is what everyone else is getting. Perhaps obtain full limits on PCIs to avoid any ambiguity, he said.

The Complexity of Compliance

Dayce Schrieber, a director at InstaMed^®, laid out how easily a breach occurs, even when companies believe they are compliant. InstaMed is a cloud-based company taking over payments for medical providers and billing companies so that they do not have to be PCI compliant—InstaMed is.

To be compliant, companies need to move credit card information out of their systems, Schrieber said. Do not use the same network for email to process and pass credit card data. Segmenting your network limits your risk exposure. Mobile devices that process credit cards and email are another risk point.

“Email’s a great way to insert malicious software, so you don’t want them together,” Schrieber said.

The ultimate option is to never have the card data touch your environment, he said. Encryption devices hold the data and encrypt it on the device, before the cable reaches the computer. Malicious software can do nothing with it. Encryption devices are expensive, and there are not many out there, but they may be worth it, Schrieber said.

To that end, Lenik advised, “Shut down remote access and change your passwords. You’re leaving the keys in the ignition with a “Steal Me” sign in the window. It’s not rocket science that’s causing these breaches. It’s really very, very simple access.”

The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent